package org.springframework.security.oauth2.server.authorization.web;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import org.springframework.core.log.LogMessage;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.endpoint.OAuth2ParameterNames;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationException;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationCodeRequestAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.authentication.OAuth2AuthorizationConsentAuthenticationToken;
import org.springframework.security.oauth2.server.authorization.web.authentication.DelegatingAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationCodeRequestAuthenticationConverter;
import org.springframework.security.oauth2.server.authorization.web.authentication.OAuth2AuthorizationConsentAuthenticationConverter;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.AuthenticationConverter;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.util.RedirectUrlBuilder;
import org.springframework.security.web.util.UrlUtils;
import org.springframework.security.web.util.matcher.AndRequestMatcher;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.NegatedRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.web.util.UriComponentsBuilder;
import org.springframework.web.util.UriUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.0.2.jar:org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter.class */
public final class OAuth2AuthorizationEndpointFilter extends OncePerRequestFilter {
    private static final String DEFAULT_AUTHORIZATION_ENDPOINT_URI = "/oauth2/authorize";
    private final AuthenticationManager authenticationManager;
    private final RequestMatcher authorizationEndpointMatcher;
    private final RedirectStrategy redirectStrategy;
    private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource;
    private AuthenticationConverter authenticationConverter;
    private AuthenticationSuccessHandler authenticationSuccessHandler;
    private AuthenticationFailureHandler authenticationFailureHandler;
    private String consentPage;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.0.2.jar:org/springframework/security/oauth2/server/authorization/web/OAuth2AuthorizationEndpointFilter$DefaultConsentPage.class */
    public static class DefaultConsentPage {
        private static final MediaType TEXT_HTML_UTF8 = new MediaType("text", "html", StandardCharsets.UTF_8);

        private DefaultConsentPage() {
        }

        private static void displayConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, Authentication authentication, Set<String> set, Set<String> set2, String str2) throws IOException {
            String generateConsentPage = generateConsentPage(httpServletRequest, str, authentication, set, set2, str2);
            httpServletResponse.setContentType(TEXT_HTML_UTF8.toString());
            httpServletResponse.setContentLength(generateConsentPage.getBytes(StandardCharsets.UTF_8).length);
            httpServletResponse.getWriter().write(generateConsentPage);
        }

        private static String generateConsentPage(HttpServletRequest httpServletRequest, String str, Authentication authentication, Set<String> set, Set<String> set2, String str2) {
            HashSet<String> hashSet = new HashSet();
            HashSet<String> hashSet2 = new HashSet();
            for (String str3 : set) {
                if (set2.contains(str3)) {
                    hashSet2.add(str3);
                } else if (!str3.equals(OidcScopes.OPENID)) {
                    hashSet.add(str3);
                }
            }
            StringBuilder sb = new StringBuilder();
            sb.append("<!DOCTYPE html>");
            sb.append("<html lang=\"en\">");
            sb.append("<head>");
            sb.append("    <meta charset=\"utf-8\">");
            sb.append("    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, shrink-to-fit=no\">");
            sb.append("    <link rel=\"stylesheet\" href=\"https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css\" integrity=\"sha384-JcKb8q3iqJ61gNV9KGb8thSsNjpSL0n8PARn9HuZOnIxN0hoP+VmmDGMN5t9UJ0Z\" crossorigin=\"anonymous\">");
            sb.append("    <title>Consent required</title>");
            sb.append("\t<script>");
            sb.append("\t\tfunction cancelConsent() {");
            sb.append("\t\t\tdocument.consent_form.reset();");
            sb.append("\t\t\tdocument.consent_form.submit();");
            sb.append("\t\t}");
            sb.append("\t</script>");
            sb.append("</head>");
            sb.append("<body>");
            sb.append("<div class=\"container\">");
            sb.append("    <div class=\"py-5\">");
            sb.append("        <h1 class=\"text-center\">Consent required</h1>");
            sb.append("    </div>");
            sb.append("    <div class=\"row\">");
            sb.append("        <div class=\"col text-center\">");
            sb.append("            <p><span class=\"font-weight-bold text-primary\">" + str + "</span> wants to access your account <span class=\"font-weight-bold\">" + authentication.getName() + "</span></p>");
            sb.append("        </div>");
            sb.append("    </div>");
            sb.append("    <div class=\"row pb-3\">");
            sb.append("        <div class=\"col text-center\">");
            sb.append("            <p>The following permissions are requested by the above app.<br/>Please review these and consent if you approve.</p>");
            sb.append("        </div>");
            sb.append("    </div>");
            sb.append("    <div class=\"row\">");
            sb.append("        <div class=\"col text-center\">");
            sb.append("            <form name=\"consent_form\" method=\"post\" action=\"" + httpServletRequest.getRequestURI() + "\">");
            sb.append("                <input type=\"hidden\" name=\"client_id\" value=\"" + str + "\">");
            sb.append("                <input type=\"hidden\" name=\"state\" value=\"" + str2 + "\">");
            for (String str4 : hashSet) {
                sb.append("                <div class=\"form-group form-check py-1\">");
                sb.append("                    <input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" value=\"" + str4 + "\" id=\"" + str4 + "\">");
                sb.append("                    <label class=\"form-check-label\" for=\"" + str4 + "\">" + str4 + "</label>");
                sb.append("                </div>");
            }
            if (!hashSet2.isEmpty()) {
                sb.append("                <p>You have already granted the following permissions to the above app:</p>");
                for (String str5 : hashSet2) {
                    sb.append("                <div class=\"form-group form-check py-1\">");
                    sb.append("                    <input class=\"form-check-input\" type=\"checkbox\" name=\"scope\" id=\"" + str5 + "\" checked disabled>");
                    sb.append("                    <label class=\"form-check-label\" for=\"" + str5 + "\">" + str5 + "</label>");
                    sb.append("                </div>");
                }
            }
            sb.append("                <div class=\"form-group pt-3\">");
            sb.append("                    <button class=\"btn btn-primary btn-lg\" type=\"submit\" id=\"submit-consent\">Submit Consent</button>");
            sb.append("                </div>");
            sb.append("                <div class=\"form-group\">");
            sb.append("                    <button class=\"btn btn-link regular\" type=\"button\" onclick=\"cancelConsent();\" id=\"cancel-consent\">Cancel</button>");
            sb.append("                </div>");
            sb.append("            </form>");
            sb.append("        </div>");
            sb.append("    </div>");
            sb.append("    <div class=\"row pt-4\">");
            sb.append("        <div class=\"col text-center\">");
            sb.append("            <p><small>Your consent to provide access is required.<br/>If you do not approve, click Cancel, in which case no information will be shared with the app.</small></p>");
            sb.append("        </div>");
            sb.append("    </div>");
            sb.append("</div>");
            sb.append("</body>");
            sb.append("</html>");
            return sb.toString();
        }
    }

    public OAuth2AuthorizationEndpointFilter(AuthenticationManager authenticationManager) {
        this(authenticationManager, DEFAULT_AUTHORIZATION_ENDPOINT_URI);
    }

    public OAuth2AuthorizationEndpointFilter(AuthenticationManager authenticationManager, String str) {
        this.redirectStrategy = new DefaultRedirectStrategy();
        this.authenticationDetailsSource = new WebAuthenticationDetailsSource();
        this.authenticationSuccessHandler = this::sendAuthorizationResponse;
        this.authenticationFailureHandler = this::sendErrorResponse;
        Assert.notNull(authenticationManager, "authenticationManager cannot be null");
        Assert.hasText(str, "authorizationEndpointUri cannot be empty");
        this.authenticationManager = authenticationManager;
        this.authorizationEndpointMatcher = createDefaultRequestMatcher(str);
        this.authenticationConverter = new DelegatingAuthenticationConverter(Arrays.asList(new OAuth2AuthorizationCodeRequestAuthenticationConverter(), new OAuth2AuthorizationConsentAuthenticationConverter()));
    }

    private static RequestMatcher createDefaultRequestMatcher(String str) {
        AntPathRequestMatcher antPathRequestMatcher = new AntPathRequestMatcher(str, HttpMethod.GET.name());
        AntPathRequestMatcher antPathRequestMatcher2 = new AntPathRequestMatcher(str, HttpMethod.POST.name());
        RequestMatcher requestMatcher = httpServletRequest -> {
            String parameter = httpServletRequest.getParameter("scope");
            return StringUtils.hasText(parameter) && parameter.contains(OidcScopes.OPENID);
        };
        RequestMatcher requestMatcher2 = httpServletRequest2 -> {
            return httpServletRequest2.getParameter(OAuth2ParameterNames.RESPONSE_TYPE) != null;
        };
        return new OrRequestMatcher(new OrRequestMatcher(antPathRequestMatcher, new AndRequestMatcher(antPathRequestMatcher2, requestMatcher2, requestMatcher)), new AndRequestMatcher(antPathRequestMatcher2, new NegatedRequestMatcher(requestMatcher2)));
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!this.authorizationEndpointMatcher.matches(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        try {
            Authentication convert = this.authenticationConverter.convert(httpServletRequest);
            if (convert instanceof AbstractAuthenticationToken) {
                ((AbstractAuthenticationToken) convert).setDetails(this.authenticationDetailsSource.buildDetails(httpServletRequest));
            }
            Authentication authenticate = this.authenticationManager.authenticate(convert);
            if (!authenticate.isAuthenticated()) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
            } else {
                if (!(authenticate instanceof OAuth2AuthorizationConsentAuthenticationToken)) {
                    this.authenticationSuccessHandler.onAuthenticationSuccess(httpServletRequest, httpServletResponse, authenticate);
                    return;
                }
                if (this.logger.isTraceEnabled()) {
                    this.logger.trace("Authorization consent is required");
                }
                sendAuthorizationConsent(httpServletRequest, httpServletResponse, (OAuth2AuthorizationCodeRequestAuthenticationToken) convert, (OAuth2AuthorizationConsentAuthenticationToken) authenticate);
            }
        } catch (OAuth2AuthenticationException e) {
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(LogMessage.format("Authorization request failed: %s", e.getError()), e);
            }
            this.authenticationFailureHandler.onAuthenticationFailure(httpServletRequest, httpServletResponse, e);
        }
    }

    public void setAuthenticationDetailsSource(AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource) {
        Assert.notNull(authenticationDetailsSource, "authenticationDetailsSource cannot be null");
        this.authenticationDetailsSource = authenticationDetailsSource;
    }

    public void setAuthenticationConverter(AuthenticationConverter authenticationConverter) {
        Assert.notNull(authenticationConverter, "authenticationConverter cannot be null");
        this.authenticationConverter = authenticationConverter;
    }

    public void setAuthenticationSuccessHandler(AuthenticationSuccessHandler authenticationSuccessHandler) {
        Assert.notNull(authenticationSuccessHandler, "authenticationSuccessHandler cannot be null");
        this.authenticationSuccessHandler = authenticationSuccessHandler;
    }

    public void setAuthenticationFailureHandler(AuthenticationFailureHandler authenticationFailureHandler) {
        Assert.notNull(authenticationFailureHandler, "authenticationFailureHandler cannot be null");
        this.authenticationFailureHandler = authenticationFailureHandler;
    }

    public void setConsentPage(String str) {
        this.consentPage = str;
    }

    private void sendAuthorizationConsent(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken, OAuth2AuthorizationConsentAuthenticationToken oAuth2AuthorizationConsentAuthenticationToken) throws IOException {
        String clientId = oAuth2AuthorizationConsentAuthenticationToken.getClientId();
        Authentication authentication = (Authentication) oAuth2AuthorizationConsentAuthenticationToken.getPrincipal();
        Set<String> scopes = oAuth2AuthorizationCodeRequestAuthenticationToken.getScopes();
        Set<String> scopes2 = oAuth2AuthorizationConsentAuthenticationToken.getScopes();
        String state = oAuth2AuthorizationConsentAuthenticationToken.getState();
        if (hasConsentUri()) {
            this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, UriComponentsBuilder.fromUriString(resolveConsentUri(httpServletRequest)).queryParam("scope", String.join(" ", scopes)).queryParam("client_id", clientId).queryParam(OAuth2ParameterNames.STATE, state).toUriString());
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Displaying generated consent screen");
        }
        DefaultConsentPage.displayConsent(httpServletRequest, httpServletResponse, clientId, authentication, scopes, scopes2, state);
    }

    private boolean hasConsentUri() {
        return StringUtils.hasText(this.consentPage);
    }

    private String resolveConsentUri(HttpServletRequest httpServletRequest) {
        if (UrlUtils.isAbsoluteUrl(this.consentPage)) {
            return this.consentPage;
        }
        RedirectUrlBuilder redirectUrlBuilder = new RedirectUrlBuilder();
        redirectUrlBuilder.setScheme(httpServletRequest.getScheme());
        redirectUrlBuilder.setServerName(httpServletRequest.getServerName());
        redirectUrlBuilder.setPort(httpServletRequest.getServerPort());
        redirectUrlBuilder.setContextPath(httpServletRequest.getContextPath());
        redirectUrlBuilder.setPathInfo(this.consentPage);
        return redirectUrlBuilder.getUrl();
    }

    private void sendAuthorizationResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Authentication authentication) throws IOException {
        OAuth2AuthorizationCodeRequestAuthenticationToken oAuth2AuthorizationCodeRequestAuthenticationToken = (OAuth2AuthorizationCodeRequestAuthenticationToken) authentication;
        UriComponentsBuilder queryParam = UriComponentsBuilder.fromUriString(oAuth2AuthorizationCodeRequestAuthenticationToken.getRedirectUri()).queryParam(OAuth2ParameterNames.CODE, oAuth2AuthorizationCodeRequestAuthenticationToken.getAuthorizationCode().getTokenValue());
        if (StringUtils.hasText(oAuth2AuthorizationCodeRequestAuthenticationToken.getState())) {
            queryParam.queryParam(OAuth2ParameterNames.STATE, UriUtils.encode(oAuth2AuthorizationCodeRequestAuthenticationToken.getState(), StandardCharsets.UTF_8));
        }
        this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, queryParam.build(true).toUriString());
    }

    private void sendErrorResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationException authenticationException) throws IOException {
        OAuth2AuthorizationCodeRequestAuthenticationException oAuth2AuthorizationCodeRequestAuthenticationException = (OAuth2AuthorizationCodeRequestAuthenticationException) authenticationException;
        OAuth2Error error = oAuth2AuthorizationCodeRequestAuthenticationException.getError();
        OAuth2AuthorizationCodeRequestAuthenticationToken authorizationCodeRequestAuthentication = oAuth2AuthorizationCodeRequestAuthenticationException.getAuthorizationCodeRequestAuthentication();
        if (authorizationCodeRequestAuthentication == null || !StringUtils.hasText(authorizationCodeRequestAuthentication.getRedirectUri())) {
            httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), error.toString());
            return;
        }
        if (this.logger.isTraceEnabled()) {
            this.logger.trace("Redirecting to client with error");
        }
        UriComponentsBuilder queryParam = UriComponentsBuilder.fromUriString(authorizationCodeRequestAuthentication.getRedirectUri()).queryParam("error", error.getErrorCode());
        if (StringUtils.hasText(error.getDescription())) {
            queryParam.queryParam(OAuth2ParameterNames.ERROR_DESCRIPTION, UriUtils.encode(error.getDescription(), StandardCharsets.UTF_8));
        }
        if (StringUtils.hasText(error.getUri())) {
            queryParam.queryParam(OAuth2ParameterNames.ERROR_URI, UriUtils.encode(error.getUri(), StandardCharsets.UTF_8));
        }
        if (StringUtils.hasText(authorizationCodeRequestAuthentication.getState())) {
            queryParam.queryParam(OAuth2ParameterNames.STATE, UriUtils.encode(authorizationCodeRequestAuthentication.getState(), StandardCharsets.UTF_8));
        }
        this.redirectStrategy.sendRedirect(httpServletRequest, httpServletResponse, queryParam.build(true).toUriString());
    }
}
